Skip to content

feat: allow custom protocols for app href #2575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: dev
Choose a base branch
from
Open

feat: allow custom protocols for app href #2575

wants to merge 2 commits into from

Conversation

frankvHoof93
Copy link

Allow other protocols (such as ftp://, steam://, rdp://) whilst still blocking javascript.


Homarr

Thank you for your contribution. Please ensure that your pull request meets the following pull request:

  • Builds without warnings or errors (pnpm build, autofix with pnpm format:fix)
  • Pull request targets dev branch
  • Commits follow the conventional commits guideline
  • No shorthand variable names are used (eg. x, y, i or any abbrevation)

@frankvHoof93 frankvHoof93 requested a review from a team as a code owner March 11, 2025 22:16
@deepsource-io deepsource.io
Copy link

deepsource-io bot commented Mar 11, 2025
edited
Loading

Here's the code health analysis summary for commits f39a21c..6680098. View details on DeepSource ↗.

Analysis Summary

AnalyzerStatusSummaryLink
DeepSource JavaScript LogoJavaScript✅ SuccessView Check ↗
💡 If you’re a repository administrator, you can configure the quality gates from the settings.

@frankvHoof93 frankvHoof93 mentioned this pull request Mar 11, 2025
Open
@manuel-rw manuel-rw added good first issue Good for newcomers help wanted Extra attention is needed labels Mar 17, 2025
@ajnart
Copy link
Contributor

ajnart commented Apr 15, 2025

We already saw that users will always find new ways to use homarrr, having this restriction to only HTTP in the first place is restrictive, we could just define proper CSP rules so that it shows "VM1705:1 Refused to run the JavaScript URL because it violates the following Content Security Policy" error.

Either way we are not responsible for anyone's use of homarr, i'd remove the validation and expect my users to be smart enough to understand that a link is meant to be used there

@manuel-rw
Copy link
Member

manuel-rw commented Apr 28, 2025
edited
Loading

I made some research and believe that CSP should be enough to protect the user. I will update the PR...
Review with https://report-uri.com/home/generate

@frankvHoof93 @manuel-rw
feat: Update Validation for Apps
fa004b3 
Allow other protocols (such as ftp://, steam://, rdp://) whilst still blocking javascript.
@manuel-rw manuel-rw force-pushed the feat/allow-other-app-protocols branch from cb62455 to 7e76590 Compare April 28, 2025 19:53
@manuel-rw manuel-rw self-assigned this Apr 28, 2025
@manuel-rw manuel-rw added enhancement New feature or request and removed help wanted Extra attention is needed good first issue Good for newcomers labels Apr 28, 2025
@manuel-rw manuel-rw changed the title feat: Update Validation for Apps feat: allow custom protocols for app href Apr 28, 2025
@manuel-rw manuel-rw force-pushed the feat/allow-other-app-protocols branch from 7e76590 to 6680098 Compare April 28, 2025 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@StancuFlorin StancuFlorin StancuFlorin left review comments

@manuel-rw manuel-rw manuel-rw left review comments

@Meierschlumpf Meierschlumpf Meierschlumpf left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@manuel-rw manuel-rw

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@frankvHoof93 @ajnart @manuel-rw @StancuFlorin @Meierschlumpf